7 Myths of Healthcare Cloud Security Debunked

The Cloud Is Beginning To Gain Favor

Cloud computing could be the next game-changer in healthcare – but not if healthcare IT professionals don’t overcome their deep-rooted aversion to the cloud. A conventionally risk-averse industry, healthcare has been relatively slow to adopt the cloud, citing security and privacy concerns. According to MarketsandMarkets, despite a slow start, healthcare providers are predicted to spend $5.4 billion on cloud services by 2017.

Don’t let these common myths stall your healthcare cloud initiative

As regulation pushes the industry toward storage, collaboration and accessibility, the cloud becomes even more attractive since it’s often safer and more versatile than on-premises solutions. Health information exchanges also are contributing to the need for interconnected electronic medical record systems to ensure easy access to patient data. As a result, cloud-based software-as-a-service models are beginning to grow.

According to a June 2014 HIMSS Analytics Cloud Survey, 83 percent of 150 industry respondents said they currently use at least some cloud services. Another 9 percent plan to use the cloud, and just 6 percent don’t plan to try cloud services. Despite the growth in cloud-based services, 61 percent of healthcare IT respondents indicated security is still a top concern.

Many of the concerns about cloud computing security are more myth than fact. Let us debunk seven of them.

Myth #1: The Cloud isn’t Secure Enough for Healthcare

A long-held perception exists in healthcare that cloud systems are inherently less secure than traditional on-premises systems. While both enterprise systems and cloud systems have an equal chance of being attacked, data shows that cloud-based systems are actually more secure than their on-premises counterparts. According to Alert Logic’s 2012 Cloud Security Report, on-premises users experience an average of 61.4 attacks per year while service-provider/cloud customers experience an average of only 27.8 attacks annually.

Cloud systems see fewer attacks because of better safeguards, says Chris Bowen, chief privacy officer, ClearDATA. “With the cloud, the data centers have specialized safeguards such as perimeter controls, cameras, armed guards, biometrics, interconnected room locks, man traps, multiple pipes for bandwidth, massive UPSs and multiple power grids, which are things even large hospital systems have a hard time providing,” he says.

Myth #2: All Cloud-based Infrastructures are Created Equal

The cloud infrastructure can generally be boiled down to three components: network, storage, and computing. Each component must be purpose built for healthcare and with the use case in mind.

“In healthcare, networks must be secure, highly redundant, and designed to support ‘burstability’ and have communications ports designed for shared use,” Bowen says. “But they must also be actively monitored and logged. Some cloud environments may be built with many of these features, but the logging requirements in healthcare often require other solutions to enable the logs to be kept, protected and archived according to specific data retention policies dictated by Health Information Trust Alliance (HITRUST), Omnibus and the Privacy and Security Rules.”

Myth #3: Data in the Cloud is More Vulnerable to Hackers

In reality, data in the cloud is less susceptible when it is properly encrypted and secured. But it really depends on the cloud provider.

“Understanding how the provider approaches defense in depth from an administrative, technical and physical perspective is critical,” Bowen says. “Just as essential are the operating principles that the organization has developed to support a healthcare cloud. On-premises strategies are challenged to provide similar levels of service.”

Because IT security is not the core competency of most healthcare providers, turning to cloud providers can pay off since they focus on security extensively – particularly cloud providers that focus on healthcare clients. The investment of resources and staffing by cloud-based providers is difficult to match with in-house employees. Additionally, HITRUST-certified vendors are particularly attractive given the rigorous certification process vendors endure.

Myth #4: Data in the Cloud is Accessible to Other Organizations Using the Same Cloud

In reality, data in the cloud is less susceptible when it is properly encrypted and secured. But it really depends on the cloud provider.

“Understanding how the provider approaches defense in depth from an administrative, technical and physical perspective is critical,” Bowen says. “Just as essential are the operating principles that the organization has developed to support a healthcare cloud. On-premises strategies are challenged to provide similar levels of service.”

Because IT security is not the core competency of most healthcare providers, turning to cloud providers can pay off since they focus on security extensively – particularly cloud providers that focus on healthcare clients. The investment of resources and staffing by cloud-based providers is difficult to match with in-house employees. Additionally, HITRUST-certified vendors are particularly attractive given the rigorous certification process vendors endure.

Myth #5: Data that Resides in the Cloud can’t be Controlled or Mined by Providers

This myth might be the most important to debunk.

“What contributes to the perception that the cloud may not be as secure or may have some level of risk is the lack of visibility and the loss of control,” Sadowski says. “The best way to ensure you have control is to extend the internal controls that you already trust into the cloud. For instance, make sure you have the same authentication, user management and access management capabilities in the cloud that you do with your on-premises solution.”

Any cloud environment should allow you to maintain an auditable chain of custody for your data. “Any cloud provider that cannot guarantee this for you will put you at risk if you are ever audited by the ONC or investigated by the OCR,” Bowen says. “Once data enters the cloud, it might traverse many different data centers and geographic regions, be hosted multiple places simultaneously or be dynamically relocated as needed.”

Myth #6: Identity and Access Management is a Headache with Cloud-based Systems

In truth, it’s not difficult to extend a provider’s existing identification and authentication framework to a cloud environment. There are specific technologies (such as LDAP, SAML, Cloud Access Security Brokers, etc.) in the marketplace that can enable central identity management in the cloud. Network traffic settings also can help enable these technologies.

“Based on research we’ve seen, we know that healthcare providers have to increasingly adopt the cloud in order to meet the infrastructure requirements mandated by regulations and to cope with rising costs,” Bowen says. “They can’t necessarily meet infrastructure requirements with hardware-based solutions in their basement.”

Myth #7: I Can’t Trust a Cloud Provider Like I Can Trust My Own People

This myth might be the most important to debunk.

“What contributes to the perception that the cloud may not be as secure or may have some level of risk is the lack of visibility and the loss of control,” Sadowski says. “The best way to ensure you have control is to extend the internal controls that you already trust into the cloud. For instance, make sure you have the same authentication, user management and access management capabilities in the cloud that you do with your on-premises solution.”

Any cloud environment should allow you to maintain an auditable chain of custody for your data. “Any cloud provider that cannot guarantee this for you will put you at risk if you are ever audited by the ONC or investigated by the OCR,” Bowen says. “Once data enters the cloud, it might traverse many different data centers and geographic regions, be hosted multiple places simultaneously or be dynamically relocated as needed.”